Don’t Let Human Nature Undermine Security: Brute-Force and Exploit Attacks



Imagine you are standing within the walls of a long
hallway lined with closed doors on either side. One of
those doors hides a valuable artifact, and you are
presented with a keychain that holds several keys.

This scenario is an analogy for what happens in an
information security event known as a brute-force
attack. The attacker knows there is an important piece
of information (the valuable artifact) hidden on a web
server somewhere (the room). The attacker also has an
exhaustive list of predefined passwords (the keychain)
that they will try to use to gain access to the web server.
The general idea in a brute-force attack is to attempt
every password until the attacker gains unauthorized
access to the server.

Now imagine all the doors have metal locks. Instead of
trying every key in every door, you could just start
checking if the locks are rusty or damaged, and try to
force the doors open in order to get access. This is how
an exploit or vulnerability attack works, by taking
advantage of some flaw in the system to obtain unauthorized access.

In an exploit attack, you are relying on the weaknesses of the system itself (the rusty or
damaged locks) to gain illicit entry. In this scenario, you have to hope that there is a flaw in the
security plan to get in: an overlooked piece of infrastructure with a vulnerability, or perhaps a
zero-day flaw such as the Heartbleed or Shellshock bugs. In the case of brute-force
attacks, the landscape is different. Here, the exploited vulnerability is a human one: the tendency
to choose weak passwords.

Brute-force attacks are time- and resource-consuming compared with an exploit attack.
Depending on the system, the attacker will require anything from a couple of computers to a
botnet of hundreds of zombie machines just to get started. Additionally, the attacker will need to
plan how to hijack the system carefully, because there are extra security controls that emit
warnings whenever there are continuous failed login attempts over a specific period of time.
However, if a hacker doesn’t have access to a zero-day vulnerability, a more complex
brute-force attack will have to do, even if it has less chance of being successful.
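The controls mentioned above watch for repeated failed logins within a short period. As an added example that is not from the article, the following Python sketch parses constructed sshd-style log lines and raises one alert per source address that reaches a threshold of failures inside a sliding time window; the threshold, window length and log format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style syslog lines for the demo (not from the article).
SAMPLE_LOG = """\
May 12 10:00:01 web1 sshd[2201]: Failed password for admin from 203.0.113.7 port 50122 ssh2
May 12 10:00:03 web1 sshd[2202]: Failed password for root from 203.0.113.7 port 50123 ssh2
May 12 10:00:04 web1 sshd[2203]: Accepted password for alice from 198.51.100.4 port 41000 ssh2
May 12 10:00:06 web1 sshd[2204]: Failed password for admin from 203.0.113.7 port 50124 ssh2
May 12 10:00:09 web1 sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 50125 ssh2
May 12 10:00:12 web1 sshd[2206]: Failed password for admin from 203.0.113.7 port 50126 ssh2
May 12 10:05:00 web1 sshd[2207]: Failed password for bob from 198.51.100.4 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_line(line, year=2015):
    """Return (timestamp, result, user, ip) or None; syslog lines lack the year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source IP that reaches `threshold` failed logins inside
    any sliding `window`; returns a list of (ip, first_ts, last_ts, users)."""
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    users = defaultdict(set)     # ip -> usernames tried from that ip
    alerts, alerted = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "Failed":
            continue  # unparseable line or successful login
        ts, _, user, ip = parsed
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, q[0], ts, sorted(users[ip])))
    return alerts
```

Running `detect_bruteforce(SAMPLE_LOG.splitlines())` flags 203.0.113.7 (five failures in eleven seconds, three usernames tried) while the single failure from 198.51.100.4 stays below the threshold.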




33 Cyber Warnings E-Magazine – May 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
